The importance of ethics: At a time when companies are conducting business at the speed of thought, it is prudent for internal auditors to keep risk management in their thought process - Risk Watch

Internal Auditor, Feb, 2002 by Larry D. Hubbard, James Roth, Donald Espersen

The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control -- Integrated Framework provides a framework, or model, for meeting business objectives. According to the private-sector group, internal control systems help achieve business objectives and consist of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. Auditors can use this framework as an "agreement" with management about what to review in their audits.

The base of this agreement is the control environment, or corporate culture. Ethics and integrity are essential to the structure of corporate culture and are examples of what have come to be called "soft controls" -- intangible, difficult-to-verify controls that are necessary to run any organization.

Lack of soft controls, such as management philosophy, integrity, and ethics, increases the possibility that other, more traditional controls, such as approvals and reconciliations, may be overridden. Soft controls are the primary focus of many newspaper articles we're seeing now on the unfolding bankruptcy of Enron Corporation.

RATING SOFT CONTROLS

Auditors can begin to evaluate soft controls by answering the following:

1. Regarding the organization's core beliefs, my supervisors and associates:

* Don't know what they are.

* Think they are just words people use.

* Strive to achieve them.

2. The culture and level of integrity of people in my workplace are:

* Going downhill.

* About the same.

* Getting better.

3. Our organization's reputation in my community is:

* Getting worse.

* Remaining steady.

* Getting better.

4. Our organization's business ethics policies:

* Are unknown to me.

* Are for appearances only.

* Are known and followed.

5. Our organization's policies and procedures:

* Are in shambles.

* Are sometimes useful.

* Help me do my job.

Auditors who predominantly choose the last answer probably work for an organization that has ethics and integrity -- two soft controls that help in achieving business objectives. Auditors who choose mostly the first and second answers are with companies that can still meet business objectives, be profitable, increase shareholder value, and strive to achieve stakeholders' aspirations. However, the risk formula changes if ethics and integrity are not considered important in meeting business objectives.

Ethical risks increase and business objectives may fail, not because of specific internal or external threats, but because management's philosophy or operating policy is wrong for the circumstances, there is a low level of commitment to competence, or even because Wall Street doesn't trust management's ability to report financial results.

GATHERING AUDIT EVIDENCE

To ensure that internal controls are effective, auditors need to gather audit evidence and information about ethical risks in their organizations. Normally, auditors use one of three methods to gather soft-control information: structured interviews, self-assessment workshops, and self-assessment questionnaires.

In a structured interview, auditors ask the same questions of many people (20, 30, or more employees) at different levels of the organization. If they get substantially the same answers, the consistency of the answers constitutes audit evidence -- as auditors, we believe it to be true. For example, auditors could use the five statements above to provide audit evidence of the ethical climate of the organization if almost everyone interviewed gave the same answers. It's not as persuasive as audit evidence if the answers differ, because that shows that everyone does not view those items the same way.

Auditors also use self-assessment workshops, where a facilitator asks soft-control questions, to gather audit evidence. Facilitators often use anonymous voting technology to ensure accurate results and eliminate the fear of reprisal.

Finally, many auditors also use self-assessment questionnaires to ask soft-control questions. Many audit groups follow the questionnaires with group meetings, or workshops, to discuss the results.

ACHIEVING MANAGEMENT BUY-IN

Management doesn't always see the merits of gathering information about ethical risks in their organizations or the value of the COSO approach to internal controls. Auditors have a responsibility to reach an agreement with management on what internal controls mean in the organization and the level to which management will buy in to the COSO definition.

If an organization's internal control definition focuses on meeting business objectives and the importance of soft controls, as COSO does, auditors must be sure management understands that that is the case. There could even be a training curriculum that teaches managers how to meet business objectives. Internal auditors would be wise to modify the COSO concepts or those training curriculum concepts to be consistent when talking about the role of internal controls in meeting business objectives.

Before concluding that the COSO model is the right path for their organization and beginning to provide management with soft-control information, auditors might first want to consider several questions:

 

Content provided in partnership with Thompson Gale